Security for Beginners - Part 1
adzmely mansor
adzmely@gmail.com
Mindset
different people see things differently
Security Mindset
security requires a particular mindset:
security people see the world differently
a thief (a security-oriented profession, of sorts)
can't walk into a store without noticing and
counting how many CCTV cameras are installed and in
which direction they point. any possible blind spot?
engineers/programmers
think about how things can be made to work
security engineers
think about how things can be made to fail
security engineers
think like an attacker or criminal
if you don't see the world that way
you will never notice most security problems
HTTP Protocol
the fundamentals
why bother?
knowing the protocol makes debugging easier
and improves your understanding of web security
HTTP Protocol
application-layer protocol of the TCP/IP stack
client - server
a set of rules on how requests and responses are
transmitted between them
HTTP Protocol
the path of a request:
Client (Browser) -> Internet (Proxy) -> Server: example.com (LB/Cache -> Web -> DB/Storage)
before anything is sent, the browser has to turn example.com into an IP address
(93.184.216.119): browser cache, then hosts file, then DNS
HTTP Protocol
TCP/IP connection: 3-way handshake
the browser opens a TCP connection to the server before any HTTP is spoken:
client -> server: SYN      ("u there bro?")
server -> client: SYN-ACK  ("Yup!!!")
client -> server: ACK      ("cool!!!")
HTTP Protocol
over the established TCP connection the browser speaks HTTP:
client -> server: GET /
server -> client: 200 OK, index.html content
HTTP Protocol
the same exchange typed by hand with telnet (request line, Host header, an empty line, then the server's reply):
$ telnet vps 80
Trying 188.241.112.26...
Connected to webfirewall.xjutsu.com.
Escape character is '^]'.
GET / HTTP/1.1
Host: vps

HTTP/1.1 200 OK
Date: Mon, 07 Oct 2013 15:17:05 GMT
Server: Apache/2.2.16 (Ubuntu)
Last-Modified: Fri, 04 Oct 2013 01:23:15 GMT
ETag: "71d88de-0-4e7e02584e6c0"
Accept-Ranges: bytes
Content-Length: 0
Vary: Accept-Encoding
Cache-Control: max-age=10800
Content-Type: text/html
(the version token is case-sensitive, so HTTP/1.1 rather than the lowercase http/1.1 typed in the original session, which Apache happened to accept; the empty line after the headers is what ends the request. Content-Length: 0 means index.html is an empty file. Notice how much the Server header already gives away about the platform.)
HTTP Protocol
further requests follow on the same connection (HTTP/1.1 keeps it open by default):
client -> server: GET /images/banner.jpg
server -> client: 200 OK, image content
HTTP Protocol
TCP/IP connection teardown (simplified: each side sends its own FIN and ACKs the other's):
client -> server: FIN      ("bye, im done!")
server -> client: FIN-ACK  ("Sayonara!!!")
HTTP Protocol
client sends an HTTP Request, server answers with an HTTP Response
HTTP Request
Request Line: request method, requested resource, HTTP version used
Request Headers: general headers, request headers, entity headers
Optional Content (the message body, after an empty line)
HTTP Protocol
HTTP Response
Status Line: HTTP version, status code, reason phrase
Headers: general headers, response headers, entity headers
Optional Content (the message body, after an empty line)
HTTP/1.1 200 OK
Date: Mon, 23 May 2005 22:38:34 GMT
Server: Apache/1.3.3.7 (Unix) (Red-Hat/Linux)
Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT
Etag: "3f80f-1b6-3e1cb03b"
Content-Type: text/html; charset=UTF-8
Content-Length: 131
Connection: close

<html> ....
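The telnet session and the request/response layout above, as an added Python example (not code from the deck): build_request() produces the same bytes you would type into telnet, parse_response() splits a raw reply into status line, headers and body. SAMPLE_RESPONSE is constructed from the headers in the telnet transcript; fetch() does the exchange against a real server and is not needed for the offline demo.

```python
"""Added example: the GET / exchange from the telnet session, done from Python.
SAMPLE_RESPONSE is constructed from the telnet transcript (an empty index.html)."""
import socket


def build_request(method, path, host, headers=None, body=b""):
    """Serialise an HTTP/1.1 request: request line, headers, CRLF CRLF, optional body."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body


def parse_response(raw):
    """Split a raw response into status line, headers and body.

    Header names are lower-cased because they are case-insensitive on the wire.
    The body is cut to Content-Length when the server sent one.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: no end of headers")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"bad status line: {status_line!r}")
    version, code = parts[0], int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return {"version": version, "status": code, "reason": reason,
            "headers": headers, "body": body}


# Constructed from the telnet transcript above.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 07 Oct 2013 15:17:05 GMT\r\n"
    b"Server: Apache/2.2.16 (Ubuntu)\r\n"
    b"Last-Modified: Fri, 04 Oct 2013 01:23:15 GMT\r\n"
    b'ETag: "71d88de-0-4e7e02584e6c0"\r\n'
    b"Accept-Ranges: bytes\r\n"
    b"Content-Length: 0\r\n"
    b"Vary: Accept-Encoding\r\n"
    b"Cache-Control: max-age=10800\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)


def fetch(host, port=80, path="/", timeout=5):
    """The real thing: connect (the 3-way handshake happens here), send the
    request, read until the server closes, parse. 'Connection: close' asks the
    server not to keep the connection alive, so EOF marks the end of the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request("GET", path, host, {"Connection": "close"}))
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_response(b"".join(chunks))


if __name__ == "__main__":
    r = parse_response(SAMPLE_RESPONSE)
    print(r["status"], r["reason"], r["headers"]["server"], len(r["body"]))
```

Run it against the lab box with fetch("188.241.117.154") once you are online; the Server header it returns is the same version banner the telnet session showed.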
HTTP Protocol
Stateless Protocol
each request is an independent transaction
unrelated to any previous request
to overcome this at the application level
cookies are used
HTTP Protocol
Cookies
small pieces of text the server sets (Set-Cookie header) and the
browser stores and sends back (Cookie header) on later requests to that site
maintain a session by carrying a session identifier between requests
are data, not executable code
RFC 2616 (HTTP/1.1)
RFC 2965 (cookies; since obsoleted by RFC 6265)
HTTP Protocol & Handling Statelessness
Exercise
SYN Flood Attack
SYN Flood: the attacker sends many SYN packets (usually from spoofed
source addresses) but never sends the final "ACK" back to the server.
The connections stay half-open, each one holding an entry in the
server's backlog and consuming server resources until it times out, so
legitimate SYNs are dropped once the backlog is full.
SYN Flood Mitigation
RFC 4987: TCP SYN Flooding Attacks and Common Mitigations
(filtering, larger backlogs, shorter SYN-RECEIVED timers, SYN caches, SYN cookies)
http://www.digitalattackmap.com
http://www.arbornetworks.com/threats
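The handshake, the flood and the SYN-cookie mitigation from RFC 4987, as an added toy model in Python (not from the deck). The addresses, ports and cookie secret are constructed for the demo; real SYN cookies also fold a timestamp and MSS into the server ISN and real backlogs time out SYN-RECV entries, both left out here.

```python
"""Added example: server side of the 3-way handshake, the half-open backlog a
SYN flood fills, and SYN cookies as the stateless way out. Simplified model."""
import hashlib
import hmac

COOKIE_SECRET = b"constructed-demo-secret"   # a real stack rotates this
MASK32 = 0xFFFFFFFF


def syn_cookie(client, client_isn):
    """Server ISN derived from the connection tuple, so nothing needs storing:
    only a client that really received our SYN-ACK can ACK isn+1."""
    msg = f"{client[0]}:{client[1]}:{client_isn}".encode()
    mac = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


class Listener:
    def __init__(self, backlog, syncookies=False):
        self.backlog = backlog          # max half-open (SYN-RECV) connections
        self.syncookies = syncookies
        self.half_open = {}             # client -> server ISN we sent in the SYN-ACK
        self.established = set()
        self.dropped = 0

    def on_syn(self, client, client_isn):
        """Step 1: a SYN arrives. Returns the server ISN for the SYN-ACK,
        or None if the SYN had to be dropped."""
        server_isn = syn_cookie(client, client_isn)
        if self.syncookies:
            return server_isn                # reply, keep no state
        if len(self.half_open) >= self.backlog:
            self.dropped += 1                # backlog full: the flood succeeds
            return None
        self.half_open[client] = server_isn  # SYN-RECV state held until the ACK
        return server_isn

    def on_ack(self, client, client_isn, ack):
        """Step 3: the final ACK. Valid only if it acknowledges our ISN + 1."""
        if self.syncookies:
            ok = ack == (syn_cookie(client, client_isn) + 1) & MASK32
        else:
            server_isn = self.half_open.pop(client, None)
            ok = server_isn is not None and ack == (server_isn + 1) & MASK32
        if ok:
            self.established.add(client)
        return ok


def handshake(listener, client, client_isn):
    """A well-behaved client: SYN, receive SYN-ACK, send ACK."""
    server_isn = listener.on_syn(client, client_isn)
    if server_isn is None:
        return False
    return listener.on_ack(client, client_isn, (server_isn + 1) & MASK32)


def syn_flood(listener, count):
    """The attacker: many SYNs from (spoofed) sources, never an ACK."""
    for i in range(count):
        listener.on_syn((f"203.0.113.{i % 250 + 1}", 40000 + i), i)


def demo(syncookies):
    """Flood a listener, then let a legitimate client try.
    Returns (legit_client_connected, syns_dropped)."""
    listener = Listener(backlog=128, syncookies=syncookies)
    syn_flood(listener, 1000)
    ok = handshake(listener, ("198.51.100.3", 5555), client_isn=42)
    return ok, listener.dropped


if __name__ == "__main__":
    print("without SYN cookies:", demo(False))
    print("with SYN cookies:   ", demo(True))
```

On Linux the equivalent switch is net.ipv4.tcp_syncookies=1 (on by default in modern kernels); a flood in progress shows up as a pile of SYN-RECV sockets in ss -tan.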
HTTP Header as attack vector
HTTP Host Header Attack
under certain conditions it is possible, because of a mistake
by developers: trusting client-side HTTP headers. The Host
header is set by whoever sends the request, so HTTP_HOST on
the server is attacker-controlled.
~$ telnet attack.com 80
GET / HTTP/1.1
Host: evil.com

(slide annotations on the response: the Host sent is not the FQDN the
application expects; the application uses HTTP_HOST to select a
route/page, and the unexpected value produced a PHP error/notice
that disclosed the document root path: information disclosure)
Exercise:
http://188.241.117.154/__wslab__/wcp/
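The developer mistake above, as an added Python example (not the lab's code): first an absolute URL built straight from the Host header the way a vulnerable app does it, then the same thing behind an allow-list. ALLOWED_HOSTS and the password-reset URL are assumptions for the demo; the same check applies wherever HTTP_HOST picks a route, a document root or a link.

```python
"""Added example: trusting Host (vulnerable) versus an allow-list of the names
this application actually serves. Names and URLs are constructed for the demo."""
import re

ALLOWED_HOSTS = {"www.example.com", "example.com"}
_HOSTNAME = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")


def reset_link_vulnerable(headers, token):
    """Trusts Host verbatim: 'Host: evil.com' makes the emailed reset link
    (and the token inside it) point at the attacker's server."""
    return f"https://{headers['host']}/reset?token={token}"


def canonical_host(headers, allowed=ALLOWED_HOSTS):
    """Return the lower-cased host name only if it is one we serve."""
    raw = headers.get("host", "").strip().lower()
    host = re.sub(r":\d{1,5}$", "", raw)     # Host may legitimately carry a :port
    if not _HOSTNAME.match(host):            # also rejects IPv6 literals and junk
        raise ValueError(f"malformed Host header: {raw!r}")
    if host not in allowed:
        raise ValueError(f"Host {host!r} is not a name this application serves")
    return host


def reset_link_safe(headers, token):
    return f"https://{canonical_host(headers)}/reset?token={token}"


def handle_request(headers):
    """What the front end should do on a bad Host: a bare 400, never a
    'helpful' error that leaks paths or configuration."""
    try:
        return 200, canonical_host(headers)
    except ValueError:
        return 400, None


if __name__ == "__main__":
    evil = {"host": "evil.com"}
    print(reset_link_vulnerable(evil, "t0k3n"))   # attacker-controlled link
    print(handle_request(evil))                   # (400, None)
    print(handle_request({"host": "WWW.Example.com:443"}))
```

Frameworks usually expose this as a setting (Django's ALLOWED_HOSTS, for instance); the point is that the web server or framework, not the page code, decides which names are valid before HTTP_HOST is used for anything.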
HTTP Authentication
Basic - Authentication
uses a combination of username and password to authenticate the
user
starts with a GET request without any authentication
credentials
server responds with 401 Authorization Required and a
WWW-Authenticate: Basic realm="..." header
browser pops up a dialog requesting credentials
browser re-sends the request for the resource with an Authorization line
Basic - Authentication
using Burp Suite to intercept:
possible to take control of the traffic that is exchanged
between a web browser and a web server
manipulate data before it is sent
helps to map/monitor data exchanged between browser
and web server in order to find possible vulnerabilities
Basic - Authentication
initial GET request:
server responds with HTTP/1.1 401 Authorization Required
Basic - Authentication
browser pop-up requesting credentials, and after submit:
GET /__wslab__/auth/ HTTP/1.1
Host: 188.241.117.154
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Authorization: Basic YWRtaW46cEBzc3cwcmQ=
the value is Base64: an encoding, not encryption
YWRtaW46cEBzc3cwcmQ= decodes to admin:p@ssw0rd
Basic - Authentication
data/credentials are passed in plain text (Base64 is trivially reversible)
solution: Basic Auth over SSL/HTTPS
data is sent encrypted in transit
value of Authorization is not visible to a network sniffer
however still vulnerable to client-side attacks and to MitM if the
user accepts a bad certificate or TLS is stripped
and to brute-force attacks: the protocol has no lockout, and the
credentials are re-sent on every request
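Both sides of the Basic exchange above, as an added Python example (not the lab's code): decode_basic() shows that the Authorization value captured in Burp is only Base64, handle() is the server side that challenges with 401 plus WWW-Authenticate and then checks the credential with a constant-time compare. REALM and the CREDENTIALS table are constructed for the demo.

```python
"""Added example: HTTP Basic, client encoding and server verification.
REALM and CREDENTIALS are demo values; never keep passwords in clear for real."""
import base64
import binascii
import hmac

REALM = "wslab"
CREDENTIALS = {"admin": "p@ssw0rd"}


def encode_basic(user, password):
    """Client side: 'user:password' Base64-encoded. Encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def decode_basic(value):
    """Server side: undo the encoding. Raises ValueError on anything malformed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credential") from exc
    user, sep, password = decoded.partition(":")   # password itself may contain ':'
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def handle(headers):
    """Return (status, response headers) for a request to the protected resource."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    auth = headers.get("authorization")
    if auth is None:
        return 401, challenge                 # first request: the browser will prompt
    try:
        user, password = decode_basic(auth)
    except ValueError:
        return 400, {}
    expected = CREDENTIALS.get(user)
    # compare_digest keeps timing independent of how many characters matched;
    # the dummy compare keeps unknown-user timing close to wrong-password timing.
    if expected is None:
        hmac.compare_digest(b"x" * 16, password.encode("utf-8"))
        return 401, challenge
    if not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        return 401, challenge
    return 200, {}


if __name__ == "__main__":
    print(decode_basic("Basic YWRtaW46cEBzc3cwcmQ="))   # the header from the Burp capture
    print(handle({}))
    print(handle({"authorization": encode_basic("admin", "p@ssw0rd")}))
```

Nothing in handle() slows a guessing attacker down: rate limiting or lockout has to be added around it, which is the brute-force point made above.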
Digest Authentication
improvement over Basic - Authentication
the password is not passed over the wire at all: the client sends an MD5
hash of username, realm, password, server nonce, method and URI
(a challenge-response, not encryption)
originally specified by RFC 2069, revised by RFC 2617
still weak on its own: MD5, an offline dictionary attack against a
sniffed response, and no protection for the rest of the traffic;
use it over HTTPS as well
Authentications
Exercise: by using your browser pointing to Burp Suite as an
HTTP proxy, open the following sites:
basic: http://188.241.117.154/__wslab__/auth
digest: http://188.241.117.154/__wslab__/authd
Session/Cookie Hijacking
Session Hijacking
HTTP is a stateless protocol
sessions/cookies are used to maintain a session
exploitation of a valid web application session to gain
unauthorized access
session fixation
session sidejacking
Session Fixation
session fixation
the attacker sends a maliciously crafted link that contains a particular
session id, then waits for the victim to log in with it
http://unsafe.example.com/?SID=I_WILL_KNOW_THE_SID
Session Fixation
cross-subdomain cooking
a subdomain has been compromised - news.example.com
visiting news.example.com sets a session cookie scoped to
*.example.com in the victim's browser
when the victim visits www.example.com and logs in, the
cookie previously set is sent with the request, so the attacker
already knows the session id
Session Sidejacking
when the attacker uses packet sniffing to read network traffic and
steal session cookies
unsecured WiFi hotspots
unsecured web applications:
only using HTTPS during authentication
using HTTP for the rest of the site after authentication, so the
session cookie travels in clear
Session Sidejacking
several exploit tools:
Firesheep - Firefox extension that made it easy for users of unencrypted public WiFi to be attacked by session hijackers
WhatsApp Sniffer - able to display messages from other
WhatsApp users connected to the same network
DroidSheep - listens to HTTP traffic sent over the wireless network and
extracts session ids from these HTTP packets
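The server-side habits that defeat fixation and sidejacking, as an added Python example (not from the deck or from testfire.net): SessionStore only honours identifiers it issued and rotates the identifier at login, set_cookie_header() emits the attributes that keep the cookie off plain HTTP and away from script, and shows what Domain= does for cross-subdomain cooking. Cookie name, user name and the attacker's SID are constructed for the demo.

```python
"""Added example: session identifiers that cannot be fixated, and a Set-Cookie
line that cannot be sidejacked. Names and the attacker's SID are demo values."""
import secrets


class SessionStore:
    def __init__(self):
        self._sessions = {}      # sid -> {"user": str | None}

    def new_session(self):
        sid = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG, not guessable
        self._sessions[sid] = {"user": None}
        return sid

    def resolve(self, presented_sid):
        """Map the SID from the Cookie header (or ?SID=) to a session. An
        identifier we never issued, e.g. one planted via a crafted link, is
        ignored and a fresh one is created instead."""
        if presented_sid in self._sessions:
            return presented_sid
        return self.new_session()

    def login(self, sid, user):
        """Successful authentication: retire the pre-login identifier and issue
        a new one, so anything the attacker knew about the session is worthless."""
        self._sessions.pop(sid, None)
        new_sid = self.new_session()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def user_for(self, sid):
        return self._sessions.get(sid, {}).get("user")


def set_cookie_header(name, value, *, domain=None, secure=True, httponly=True, samesite="Lax"):
    """Build the Set-Cookie line.
    Secure: never sent over http://, so a sniffer on open WiFi sees nothing even
    if parts of the site are still plain HTTP.
    HttpOnly: not readable via document.cookie, so XSS cannot simply lift it.
    Domain=.example.com widens the cookie to every subdomain, which is exactly
    what cross-subdomain cooking abuses; leave it unset for a host-only cookie.
    (SameSite postdates this deck but belongs on every session cookie today.)"""
    attrs = [f"{name}={value}", "Path=/"]
    if domain:
        attrs.append(f"Domain={domain}")
    if secure:
        attrs.append("Secure")
    if httponly:
        attrs.append("HttpOnly")
    if samesite:
        attrs.append(f"SameSite={samesite}")
    return "Set-Cookie: " + "; ".join(attrs)


def fixation_attempt(store, attacker_sid="I_WILL_KNOW_THE_SID", user="sjoe"):
    """Replay the slide's scenario: the victim follows ?SID=attacker_sid, then logs in.
    Returns (sid the victim actually got, sid after login, user bound to the post-login
    sid, user bound to the pre-login sid, user bound to the attacker's sid)."""
    pre_login = store.resolve(attacker_sid)
    post_login = store.login(pre_login, user)
    return (pre_login, post_login, store.user_for(post_login),
            store.user_for(pre_login), store.user_for(attacker_sid))


if __name__ == "__main__":
    print(fixation_attempt(SessionStore()))
    print(set_cookie_header("SID", secrets.token_urlsafe(32)))
```

With demo.testfire.net open in Burp, compare the Set-Cookie line it sends after login with the one set_cookie_header() produces: which attributes are missing is the whole sidejacking story.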
Session Hijacking
Exercise: open http://demo.testfire.net
using Burp Suite / Firefox - Firebug
study the HTTP headers - request/response
login ID : sjoe/jsmith/cclay/sspeed
password : demo1234
Security Misconfiguration
Security Misconfiguration
web applications rely on a secure foundation
everywhere from the OS up through the app server
including all the libraries/tools you are using
do you change all default credentials in the production environment?
do you remove all the examples that come bundled with the tools you
are using?
Security Misconfiguration
Typical Impact
backdoor installed through a missing OS or server patch
XSS/SQL injection/etc. flaws due to missing application
library/framework patches
unauthorized access to default accounts, or to unused but still
accessible functionality, due to poor installation of the
tools used or poor server configuration
Security Misconfiguration
Protection
verify system configuration management
secure configuration hardening guidelines
must cover the entire platform and application
keep up with patches for all components
deactivate unnecessary stuff: services, modules, sample apps, default accounts